Law in the Internet Society

Power Conferred with Authentication

Try to justify authentication

We as individuals interact with a number of online sites and services every day, which usually require an account to access, typically with a username and password. Depending on the required degree of assurance, the type of information collected might include verifiable email addresses or phone numbers, as well as signed credentials by which certified authorities can confer trust. In the online world we increasingly call on third-party providers, like Facebook, to “authenticate” us and enable us to interact with our service providers. The question is whether we should trust this authentication process.

On one hand, it is understandable why the authentication process should exist. Through different channels, online and offline, private and public companies build up numerous identifiers for every user. We become different persons in each channel, represented by an email ID, a customer login, etc. For reliable authentication, the service provider will need to re-establish a sufficient amount of information about the user.

Companies like Facebook have multiple data points about their users, potentially across various apps. According to the Washington Post, Facebook aims to collect at least 98 data points for the purpose of ensuring that targeted ads are “useful and relevant.” This includes demographics like our age and ethnicity, our online activities such as the pages we like and the ads we click, and our device and location settings such as the brand of phone we use and our type of internet connection. In some cases, even offline data are being added to complete the picture. What Facebook is doing is re-identifying the fragmented online information and linking the data back to one unitary person that can be targeted, profiled, and surveilled. This in turn enables Facebook to more accurately determine the truth of information provided.

Take a step back

With the increasing amount of authentication needed, the underlying assumption seems to be that everyone is trying to commit fraud. It suggests that the more transparent we are, the more trustworthy we are. This assumption puts forward the question of power over declaring us rightful or not.

The ability to force individuals to justify their trustworthiness with high assurance, to whichever third parties may ask, is a position of true power. It is extremely dangerous to embed this power of defining standards and policies in a concentrated group of revenue-seeking organizations such as Facebook. If Facebook is not neutral enough, how long would it take until decisions are being taken to exclude individuals or groups, until information is being captured that can harm people and lead to repercussions, or until the right to have a passport would be too expensive for some citizens? And if they define the standards, who will control them? And how will competitors be able to enter the market?

During the US House of Representatives Financial Services Committee hearing on the 17th of July, Facebook’s crypto chief, David Marcus, was asked if people who have been banned from Facebook’s social network, like Milo Yiannopoulos and Louis Farrakhan, would be allowed to use Libra. The answer was: “We haven’t written the policy yet,” indicating that the rules of entry will be written by Facebook. But what business does Facebook have in setting public policy anyway?

Marcus was asked how Facebook will make money from Libra. Marcus said Facebook will benefit in two ways. First, the 90 million businesses on Facebook’s platform will be able to make transactions with one another. Marcus predicted the increased commerce on the platform would help small businesses expand and ultimately spend more money on Facebook ads. Second, and more importantly, “Facebook would offer more services in partnerships with banks and other organizations, from which it would expect to make money.” This second business stream seems to be where Facebook will become the authentication provider for many more businesses.

Solution, if any?

In the offline world, identity is a sovereign right traditionally only controlled by governments. Handing this right over to a handful of selected private parties with a revenue-driven target could lead to biased decision-making and illegitimate sharing of information. Following the argument offered by Alexandria Ocasio-Cortez: if money is a social good, then we should finally determine that the right of individuals to establish and maintain multiple, unlinked identities is a social good. And a social good should be managed by all participants from the private and public sector, including the individuals themselves.




r3 - 03 Feb 2020 - 00:13:38 - MengyiTu
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.